Merge branch 'main' into main-azure-container-apps

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,33 @@
+<!--
+IF SUFFICIENT INFORMATION IS NOT PROVIDED VIA THE FOLLOWING TEMPLATE THE ISSUE MIGHT BE CLOSED WITHOUT FURTHER CONSIDERATION OR INVESTIGATION
+-->
+> Please provide us with the following information:
+> ---------------------------------------------------------------
+
+### This issue is for a: (mark with an `x`)
+```
+- [ ] bug report -> please search issues before submitting
+- [ ] feature request
+- [ ] documentation issue or request
+- [ ] regression (a behavior that used to work and stopped in a new release)
+```
+
+### Minimal steps to reproduce
+>
+
+### Any log messages given by the failure
+>
+
+### Expected/desired behavior
+>
+
+### OS and Version?
+> Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)
+
+### Versions
+>
+
+### Mention any other details that might be useful
+
+> ---------------------------------------------------------------
+> Thanks! We'll be in touch soon.

.github/workflows/azure-dev-validation.yml

@@ -0,0 +1,30 @@
+name: Validate AZD template
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'infra/**'
+  pull_request:
+    branches: [main]
+    paths:
+      - 'infra/**'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Microsoft Security DevOps Analysis
+        uses: microsoft/security-devops-action@preview
+        id: msdo
+        continue-on-error: true
+        with:
+          tools: templateanalyzer
+
+      - name: Upload alerts to Security tab
+        if: github.repository_owner == 'Azure-Samples'
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.msdo.outputs.sarifFile }}

.github/workflows/bicep-audit.yml

@@ -1,15 +1,15 @@
-name: Validate AZD template
+name: Validate bicep templates
 on:
   push:
     branches: 
       - main
     paths:
-      - "infra/**"
+      - "**/*.bicep"
   pull_request:
     branches: 
       - main
     paths:
-      - "infra/**"
+      - "**/*.bicep"
   workflow_dispatch:
 
 jobs:
@@ -21,15 +21,23 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Run Microsoft Security DevOps Analysis
-        uses: microsoft/security-devops-action@preview
-        id: msdo
-        continue-on-error: true
+      - name: Run PSRule analysis
+        uses: microsoft/[email protected]
         with:
-          tools: templateanalyzer
+          modules: PSRule.Rules.Azure
+          baseline: Azure.Pillar.Security
+          inputPath: infra/*.test.bicep
+          outputFormat: Sarif
+          outputPath: reports/ps-rule-results.sarif
+          summary: true
+        continue-on-error: true
+
+        env:
+          PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true'
+          PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30'
 
-      - name: Upload alerts to Security tab
+      - name: Upload results to security tab
         uses: github/codeql-action/upload-sarif@v3
         if: github.repository_owner == 'Azure-Samples'
         with:
-          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+          sarif_file: reports/ps-rule-results.sarif

contoso_chat/requirements.txt

@@ -0,0 +1,7 @@
+azure-cosmos
+azure-identity==1.16.0
+azure-search-documents==11.4.0
+promptflow==1.11.0
+promptflow-tools==1.4.0
+promptflow[azure]==1.11.0
+python-dotenv==1.0.1

deployment/environment.yaml

@@ -0,0 +1,15 @@
+$schema: https://azuremlschemas.azureedge.net/latest/environment.schema.json
+build:
+  path: image_build_with_requirements
+  dockerfile_path: Dockerfile
+# inference config is used to build a serving container for online deployments
+inference_config:
+  liveness_route:
+    path: /health
+    port: 8080
+  readiness_route:
+    path: /health
+    port: 8080
+  scoring_route:
+    path: /score
+    port: 8080

deployment/image_build_with_requirements/Dockerfile

@@ -0,0 +1,3 @@
+FROM mcr.microsoft.com/azureml/promptflow/promptflow-runtime:latest
+COPY ./requirements.txt .
+RUN pip install -r requirements.txt

deployment/image_build_with_requirements/requirements.txt

@@ -0,0 +1,12 @@
+azure-cosmos
+azure-ai-ml
+azure-ai-resources
+azure-search-documents==11.4.0
+promptflow==1.11.0
+promptflow[azure]==1.11.0
+promptflow-tools==1.4.0
+azure-identity==1.16.0
+python-dotenv==1.0.1
+jsonlines
+promptflow.evals
+nbconvert

infra/ai.yaml

@@ -9,6 +9,14 @@ deployments:
     sku:
       name: Standard
       capacity: 20
+  - name: gpt-4
+    model:
+      format: OpenAI
+      name: gpt-4
+      version: "0613"
+    sku:
+      name: Standard
+      capacity: 20
   - name: text-embedding-ada-002
     model:
       format: OpenAI

infra/core/ai/hub.bicep

@@ -33,7 +33,8 @@ param publicNetworkAccess string = 'Enabled'
 param location string = resourceGroup().location
 param tags object = {}
 
-resource hub 'Microsoft.MachineLearningServices/workspaces@2024-01-01-preview' = {
+// NN:TODO resource hub 'Microsoft.MachineLearningServices/workspaces@2024-01-01-preview' = {
+resource hub 'Microsoft.MachineLearningServices/workspaces@2024-04-01' = {
   name: name
   location: location
   tags: tags
@@ -57,17 +58,37 @@ resource hub 'Microsoft.MachineLearningServices/workspaces@2024-01-01-preview' =
     }
     v1LegacyMode: false
     publicNetworkAccess: publicNetworkAccess
+    discoveryUrl: 'https://${location}.api.azureml.ms/discovery'
   }
 
-  resource openAiConnection 'connections' = {
-    name: openAiConnectionName
+/* NN:TODO
+  resource contentSafetyDefaultEndpoint 'endpoints' = {
+    name: 'Azure.ContentSafety'
+    properties: {
+      name: 'Azure.ContentSafety'
+      endpointType: 'Azure.ContentSafety'
+      associatedResourceId: openAi.id
+    }
+  }
+*/
+
+/*
+  NN:TODO
+  Connections are not in the GA Swagger - they are only in public preview of 2024-04-01-preview version
+  That is what you specify with the workspace@ version for AML API version
+  The ApiVersion specified in the metadata is for the Azure Cognitive Services version (that wraps the OpenAPI call)
+ */
+
+  resource openAiConnection 'connections@2024-04-01-preview' = { // NN:TODO Add @version to ensure resource is correctly versioned
+    name: 'aoai-connection'
     properties: {
       category: 'AzureOpenAI'
       authType: 'ApiKey'
       isSharedToAll: true
       target: openAi.properties.endpoints['OpenAI Language Model Instance API']
       metadata: {
-        ApiVersion: '2023-07-01-preview'
+        //ApiVersion: '2023-07-01-preview'
+        ApiVersion: '2024-02-01'
         ApiType: 'azure'
         ResourceId: openAi.id
       }

infra/main.test.bicep

@@ -0,0 +1,17 @@
+// This file is for doing static analysis and contains sensible defaults
+// for the bicep analyser to minimise false-positives and provide the best results.
+
+// This file is not intended to be used as a runtime configuration file.
+
+targetScope = 'subscription'
+
+param environmentName string = 'testing'
+param location string = 'westus2'
+
+module main 'main.bicep' = {
+  name: 'main'
+  params: {
+    environmentName: environmentName
+    location: location
+  }
+}

ps-rule.yaml

@@ -0,0 +1,5 @@
+# YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion
+configuration:
+  AZURE_BICEP_FILE_EXPANSION: true
+  AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES:
+   - resourceToken

requirements.txt

@@ -0,0 +1,10 @@
+azure-cosmos
+azure-ai-ml
+azure-ai-resources
+azure-search-documents==11.4.0
+promptflow-tools==1.4.0
+azure-identity==1.16.0
+python-dotenv==1.0.1
+jsonlines
+promptflow.evals
+nbconvert